Full Report
A vulnerability has been discovered in WatchGuard Fireware OS, which could allow for unauthenticated arbitrary code execution. WatchGuard Fireware is the proprietary operating system that powers WatchGuard's Firebox appliances. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code on the system.
Analysis Summary
# Vulnerability: Arbitrary Code Execution in WatchGuard Fireware OS via IKEv2 Out-of-bounds Write
## CVE Details
- CVE ID: CVE-2025-14733
- CVSS Score: [Score not provided in source, but described as high-risk/actively exploited] (Severity based on description: Critical/High)
- CWE: Out-of-bounds Write (Inferred from technical summary)
## Affected Systems
- Products: WatchGuard Firebox appliances running Fireware OS
- Versions:
* Fireware OS 11.10.2 up to and including 11.12.4_Update1
* Fireware OS 12.0 up to and including 12.11.5
* Fireware OS 2025.1 up to and including 2025.1.3
- Configurations: Vulnerable if the Firebox was configured with either:
1. Mobile user VPN using IKEv2, OR
2. Branch office VPN using IKEv2 with a dynamic gateway peer.
* **Note:** The vulnerability may persist even if the configurations above are deleted, *if* a branch office VPN to a static gateway peer is still configured.
## Vulnerability Description
A remote, unauthenticated attacker can exploit an Out-of-bounds Write vulnerability within the `iked` process of WatchGuard Fireware OS. This flaw is directly related to configurations involving IKEv2 (both Mobile User VPNs and Branch Office VPNs using dynamic peers). Successful exploitation allows the attacker to execute arbitrary code on the target system. This falls under the MITRE ATT&CK tactic Initial Access (TA0001) via Exploit Public-Facing Application (T1190).
## Exploitation
- Status: Exploited in the wild (Threat actors are actively attempting exploitation)
- Complexity: Not explicitly rated, but unauthenticated remote code execution typically implies Low to Medium complexity.
- Attack Vector: Network
## Impact
- Confidentiality: High (Likely, due to arbitrary code execution)
- Integrity: High (Likely, due to arbitrary code execution)
- Availability: High (Likely, due to arbitrary code execution/system compromise)
## Remediation
### Patches
- Apply appropriate, tested updates provided by WatchGuard immediately. (Specific fixed versions are not listed in the source material, refer to vendor advisory.)
### Workarounds
- None explicitly listed as formal workarounds, but mitigation should center on immediate patching as it is being actively exploited.
## Detection
- Indicators of Compromise: System logs indicating anomalies or unauthorized activity within the `iked` process or unexpected execution paths following IKEv2 connection attempts.
- Detection methods and tools: Utilize capabilities to detect and block conditions indicative of a software exploit attempt (per Safeguard M1050). Ensure anti-exploitation features (like DEP, WDEG where applicable) are enabled.
## References
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14733
- WatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027